Re: backdoor in upstream xz/liblzma leading to ssh server compromise

[Jeffrey Walton <noloader () gmail com>]

On Fri, Mar 29, 2024 at 12:10 PM Andres Freund <andres () anarazel de> wrote:
> After observing a few odd symptoms around liblzma (part of the xz package) on
> Debian sid installations over the last weeks (logins with ssh taking a lot of
> CPU, valgrind errors) I figured out the answer:
>
> The upstream xz repository and the xz tarballs have been backdoored.
>
> At first I thought this was a compromise of debian's package, but it turns out
> to be upstream.
>
> == Compromised Release Tarball ==
>
> One portion of the backdoor is *solely in the distributed tarballs*. For
> easier reference, here's a link to debian's import of the tarball, but it is
> also present in the tarballs for 5.6.0 and 5.6.1:
>
> https://salsa.debian.org/debian/xz-utils/-/blob/debian/unstable/m4/build-to-host.m4?ref_type=heads#L63
>
> That line is *not* in the upstream source of build-to-host, nor is
> build-to-host used by xz in git.  However, it is present in the tarballs
> released upstream, except for the "source code" links, which I think github
> generates directly from the repository contents:
>
> https://github.com/tukaani-project/xz/releases/tag/v5.6.0
> https://github.com/tukaani-project/xz/releases/tag/v5.6.1
> [...]

In the past I worked with the xz author on some undefined behavior in
C. His name is Lasse Collin, <lasse.collin () tukaani org>. He was
responsive and helpful.

However, I used the sources from <https://tukaani.org/xz>, not GitHub.
And it was back in the v5.0 days, not v5.6 or v5.6.1.

I suppose it would be a good idea to give him the information.

Jeff